March 14, 2001
Audit Report No. 01-007

Audit of the FDIC’s Information Technology Risk Management Program

TABLE OF CONTENTS

BACKGROUND                                                                 1
OBJECTIVE, SCOPE, AND METHODOLOGY                                          3
RESULTS OF AUDIT                                                           4
PROGRAM SUPPORT NEEDS TO BE ENHANCED                                       6
SAQs AND RELATED PROCEDURES CAN BE ENHANCED                                7
ENHANCED PROCEDURES CAN PRODUCE MORE EFFECTIVE ISRs                        9
IMPROVED CONTRACTOR OVERSIGHT CAN ENHANCE THE ISR PROCESS                 11
CORRECTIVE ACTION PROGRAM NEEDS TO BE IMPLEMENTED                         12
INVOLVEMENT OF ISS DURING APPLICATION DEVELOPMENT IS CRITICAL TO
AN EFFECTIVE IT RISK MANAGEMENT PROGRAM                                   13
CONCLUSION                                                                14
CORPORATION COMMENTS AND OIG EVALUATION                                   14

FIGURES
     Figure 1: Risk Management Process for Applications                    3

APPENDIX I – CORPORATION COMMENTS                                         15
APPENDIX II – MANAGEMENT RESPONSES TO RECOMMENDATIONS                     18

Federal Deposit Insurance Corporation
Washington, D.C. 20434
Office of Audits, Office of Inspector General

   DATE:     March 14, 2001

   TO:       Donald C. Demitros, Chief Information Officer and
             Director, Division of Information Resources Management

   FROM:     David H. Loewenstein
             Assistant Inspector General

   SUBJECT:  Audit of the FDIC’s Information Technology Risk Management Program
             (Audit Report Number 01-007)

The FDIC’s Office of Inspector General (OIG) has completed an audit of the FDIC’s Information Technology Risk Management Program. The FDIC initiated this program in 1997 to comply with federal regulations that require federal agencies to develop policies and procedures that will identify and mitigate risks related to information technology (IT). At the time of the audit, the program was evolving in that the Division of Information Resources Management (DIRM) was either planning or implementing procedural modifications to correct weaknesses noted by its staff and the U.S. General Accounting Office (GAO). While working on a related audit, we identified the need to more fully evaluate DIRM’s IT risk management program, particularly DIRM’s actions to complete security plans and independent security reviews. In the interest of timely attention to problem areas, we focused our resources to quickly research and identify actions needed to resolve the issues through a collaborative effort with DIRM management and staff. This “real-time” collaboration proved successful in that issues were immediately discussed and most recommended actions were immediately initiated.

BACKGROUND

The FDIC’s IT risk management program was designed to identify the applications that process sensitive corporate data and determine their ability to safeguard the confidentiality and reliability of the data. The program is critical to safeguarding the FDIC’s infrastructure and is based on and required by Office of Management and Budget (OMB) Circular A-130, Appendix III, “Security of Federal Automated Information Resources.” OMB requires agencies to identify their major applications and general support systems and implement four controls to manage IT risk. The four control requirements are: (1) assignment of responsibility for security, (2) security plans, (3) periodic independent security reviews (ISRs), and (4) management authorizations. OMB’s definitions related to these control requirements follow.

   •   Major applications are defined as applications that require special security attention by management due to the magnitude of harm that could result from improper operation, inappropriate access, or unauthorized modification. General support systems are the operating systems and utilities that support the operation of applications.

   •   ISRs, conducted by the FDIC or its contractors, assess the risk of the application or system by reviewing and reporting on security control weaknesses that need to be corrected. The ISR process is based on guidance provided by the National Institute of Standards and Technology (NIST) and Federal Information Processing Standards (FIPS) and should be performed every 3 years.

   •   Security plans are written documents that provide an overview of the security requirements for the system or application. The security plan should be developed during the application’s development and serve as the basis for subsequent management authorizations.

   •   The Sensitivity Assessment Questionnaires (SAQ) are questionnaires that are completed by application system users to assess the confidentiality, integrity, and availability of data processed by the system. The answers are assigned a numerical score. Any applications scoring above a specified numerical threshold are considered major and, thus, require an ISR, security plan, and subsequent management authorization.

The FDIC’s IT risk management program, as documented in Circular 1310.3, mirrors these OMB requirements. As shown in figure 1, DIRM’s Information Security Section (ISS) distributes the SAQs to all division managers responsible for the application’s security and then scores their completed questionnaires. Applications that are identified as major are passed to the risk management program manager who schedules the applications or general support systems for ISRs. The resulting ISR report is presented to the user and the appropriate DIRM unit and identifies control weaknesses and the needed corrective actions to mitigate the IT risk. Division managers document their acceptance of the report’s conclusions, particularly the IT risks and the resulting recommendations, by signing a management authorization. The management authorization acknowledges the ISR that lists the weaknesses identified and the needed corrective actions, and can also cite recommendations that will not be acted upon. By signing the management authorization, the managers accept the risks associated with not resolving these issues.

Figure 1: Risk Management Process for Applications

[Flowchart. Sensitivity Assessment Questionnaire completed; scored “Major”? If no: no additional action. If yes: security plan required; Independent Security Review conducted; risks identified and corrective actions recommended; management authorizes application for production; repeat every three years.]

In 1999, using its SAQ process, DIRM identified 70 applications as major applications. In anticipation of performing these ISRs, the FDIC retained an independent contractor at a cost of approximately $4.6 million over 3 years. Contractor costs associated with completing each application ISR total approximately $50,000, while contractor costs for general support system ISRs total approximately $100,000. This financial commitment indicates the FDIC’s intent to develop an effective risk management program, particularly when comparing DIRM’s program to other federal agencies that we observed. Our “best practices” review of six federal agencies’ programs [1] that comply with OMB A-130 indicated that the FDIC had the most comprehensive and ambitious IT risk program. However, during its audit of the FDIC’s 1999 financial statements, GAO released a management letter, dated July 27, 2000, raising concerns about the adequacy of the FDIC’s IT security environment. The letter reported weaknesses in the FDIC’s risk management program, particularly noting that the FDIC had not fully or adequately completed ISRs and security plans. These issues cited by GAO still existed at the initiation of our audit.

[1] National Credit Union Association, Office of Thrift Supervision, U.S. Postal Service, Department of Agriculture, Department of Transportation, and the Office of the Comptroller of the Currency.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of the audit was to determine the effectiveness of the FDIC’s risk management program in addressing the security-related requirements contained in OMB A-130, Appendix III. The audit was performed in “real-time” in that we worked with DIRM while they were determining or implementing their internal program modifications. As we developed our conclusions and recommendations for program improvement, we communicated them to DIRM. DIRM, in turn, approved and implemented many of these modifications during fieldwork. The audit scope augmented the issues raised by the GAO management letter by identifying the underlying management issues causing the risk-related conditions documented by GAO.

To address our objective, we reviewed the original and updated versions of the FDIC’s risk management procedures as well as the federal government requirements for implementing a risk management program. OMB Circular A-130 summarizes the four required components described earlier, while FIPS and NIST documents detail more specifically how the four components should be designed and completed. We determined the FDIC’s compliance with these components by reviewing a judgmental sample of two ISRs conducted during 1999 and two others conducted during 2000. Each sample included a major application and a general support system. We also reviewed all completed SAQs, security plans, and management authorizations for major applications for the year 2000 to determine: (1) their compliance with federal and FDIC regulations and (2) the effectiveness and reliability of the SAQs in identifying the major applications.

We reviewed schedules and matrices that DIRM developed during our fieldwork to schedule and track the SAQs, ISRs, security plans, and management authorizations. We also reviewed existing schedules and matrices that supported the corrective action process. We interviewed ISS staff and the risk management program manager and reviewed the FDIC’s policies and procedures with respect to IT risk management. We interviewed representatives of five FDIC divisions and offices to capture their ideas for possible improvements for ISRs and the overall risk management program, and we performed a “best practices” review of six outside agencies to obtain an understanding of their risk management procedures.

The audit was performed between July 1, 2000 and October 12, 2000 and covered IT risk management activities for the period of January 1, 2000 through September 9, 2000. The audit was conducted in accordance with generally accepted government auditing standards.

RESULTS OF AUDIT

The FDIC’s IT strategic plan includes many control initiatives designed to manage and minimize IT risk. Recent additions to the plan include, but are not limited to, the development of: (1) corporate-wide security training, (2) enhanced virus protection capabilities, (3) public key infrastructure (PKI), [2] (4) intrusion detection capabilities, and (5) an IT incident response program. Additionally, our “best practices” research with six federal agencies indicated that the FDIC risk management program compared favorably with other agencies we researched.

[2] PKI is a cryptography method using computer hardware and software to establish trusted information sharing among a select group of people.

However, the FDIC’s risk management program is not yet fully effective in addressing all the requirements of OMB A-130 and, thereby, controlling risk to the Corporation’s IT infrastructure. The program has been evolving and DIRM continues to strive to improve it. Many improvements have either recently been made, are in process, or have been planned. We believe that most of the program weaknesses can be resolved with management adjustments. Interestingly, one of these adjustments entails DIRM reducing the number of applications designated as major and, therefore, requiring an ISR. This reduction will permit resources committed to performing ISRs to be reassigned to other security issues and may also result in cost savings of $2.2 million every 3 years by reducing the number of required ISRs to be performed every 3 years (funds to be put to better use - $2.2 million). DIRM recently reduced the number of major applications requiring ISRs from 70 to 26 based on discussions with our office and DIRM’s clients.

Adjustments that will further enhance the program include administration modifications that would require a formal, documented reporting system to track the scheduling and completion of the program’s milestones and documents. Concerning scheduling, DIRM did not prioritize general support systems and applications when scheduling ISRs. The ISRs for general support systems, particularly the mainframe and the network, should be completed first because they impact the security of all applications operating within their platform. The general support system ISRs should be followed by ISRs of the major applications that pose the greatest risk to the FDIC.

The process of using the SAQ as the sole tool to select major applications resulted in an excessive number of ISRs. This was confirmed from interviews with clients, our review of federal agencies’ best practices, and our internal analysis. Client representatives indicated the SAQ was confusing and too subjective and they did not always agree with DIRM’s resulting selection of their applications being considered major. Federal agency IT managers we interviewed employ a more centralized approach whereby one manager analyzes all applications and chooses the optimum number of major applications. This approach minimizes the possibility that the program will become overburdened and thus jeopardize the program’s primary goals of providing effective, in-depth security reviews. Our internal analysis determined that the SAQ contained some questions that were not reliable in measuring sensitivity, thereby allowing application sensitivity scores that determine major applications to be inflated. To enhance the reliability of the SAQ process, DIRM has agreed to discuss the SAQ scores and other factors with the users to arrive at a mutual decision on which applications or functions require a security review.

The ISR supporting procedures also need to be modified to enhance the effectiveness of the ISR and the resulting corrective actions. Client representatives stated that ISRs were limited because they focused solely on application controls rather than on controls related to an overall business process or function. By broadening the ISR scope in this manner, the FDIC would have increased assurance that the overall control environment supporting the application was evaluated and improved. Additionally, client representatives indicated that the conditions and resulting corrective actions were often outside their control and this drawback impacted their willingness to support the ISR findings, conclusions, and corrective actions. DIRM agreed that improved communications with systems’ users would enhance the effectiveness of ISRs.

We noted opportunities to improve contractor oversight of the ISR process. ISR findings and major conclusions were not consistently or adequately supported by working paper documentation. Further, DIRM did not consistently review and ensure the preparation of supporting working papers by its contractor. Finally, DIRM did not adequately review contractor invoices to ensure the accuracy of time charges and costs related to ISR activities.

Although DIRM had identified over 700 corrective actions through the ISR process, none have been resolved. At the beginning of our fieldwork, DIRM had not implemented a system to: (1) identify the corporate officials responsible for corrective actions resulting from ISRs, (2) effectively track resolution of the actions, and (3) document timeframes for completing the actions. The effectiveness of review activities is dependent on the program’s ability to resolve any noted weaknesses. If the issues are not resolved, the efforts to identify them are negated.

The issues noted above play an important and direct role in the effectiveness of the FDIC’s IT risk management program. An indirect but equally important component to strengthening the program and minimizing risk is the need for ISS to be involved during the development of new applications. FDIC Circular 1320.3 and DIRM’s application development procedures require that application security be adequately analyzed and designed prior to implementation. DIRM had not ensured adequate ISS involvement at this critical stage.

The OIG and DIRM agree that a successful risk management program is dependent on a strong ISS role in reviewing and approving application security during the system development process. ISS’s early involvement can help ensure that adequate security controls are incorporated that will not only safeguard the specific application data but assist in managing IT risk corporate-wide. To ensure ISS involvement, DIRM should adopt a system development strategy similar to one used by other federal agencies that prohibits the implementation of any major application until information security officials have reviewed and approved the security design.

PROGRAM SUPPORT NEEDS TO BE ENHANCED

During our early fieldwork, DIRM had not developed a formal inventory of applications and general support systems determined to be major, which would thus require action to ensure a successful IT risk management program. Without such an inventory, DIRM was unable to centrally track the status of and prioritize SAQs, ISRs, security plans, management authorizations, and corrective actions. OMB A-130 requires that ISRs be scheduled such that general support systems are reviewed first since they have a major impact on the security of all applications within the environment. Further, DIRM had not implemented a centralized system for filing and cataloging documentation created during the various components of its program. Finally, DIRM did not routinely obtain and review OIG and GAO work related to the application or general support system under review in an effort to reduce the scope of its ISRs.

OMB A-130 and prudent management dictate that resources be prioritized to ensure that ISRs of general support systems are performed first. ISRs for general support systems impact all applications on the platform and provide the framework for all related applications, particularly applications that have the largest impact to overall security. By first identifying and resolving security weaknesses related to general support systems, such as mainframe computer and communication network operations, security for all applications is strengthened. Without a formal inventory, DIRM cannot take full advantage of this scheduling strategy.

DIRM also did not have a system to catalog and file documentation related to its IT risk management program. As a result, DIRM experienced difficulties in locating documentation, determining the FDIC’s major applications, and developing an effective risk management schedule for performing ISRs. Because of the extensive budget for the ISR program and the importance of these documents to the IT risk management program and the FDIC’s overall IT security, a cataloging and filing system is needed.

Finally, ISS personnel did not routinely take advantage of available resources that could reduce the scope of ISRs. The OIG and GAO conduct audits that include similar objectives and steps to those followed during the performance of ISRs. Additionally, the FDIC’s divisions and offices perform internal reviews that include objectives that could benefit and support ISRs. DIRM’s ISS can improve the effectiveness and efficiency of the ISR process by contacting these divisions and offices to determine whether they have performed work that could benefit and reduce the scope of planned ISRs.

During the course of our audit and in response to our suggestions, DIRM developed a tracking matrix and central filing system. In response to additional suggestions, DIRM improved the matrix by including additional information to track actual versus planned dates and expanded certain fields where multiple deliverables are expected. Additionally, DIRM stated it was aware of the need for ISR schedules to be prioritized. To initiate this enhanced process, DIRM scheduled ISRs for the mainframe and Division of Finance applications to be completed by the end of 2000.

Recommendation

We recommend that the Director, DIRM, and CIO:

(1) Update the ISR procedure manual to require that: (a) DIRM schedule and prioritize ISRs for general support systems and applications based on their impact to security within the entire IT environment and (b) ISS coordinate with OIG, GAO, and the appropriate FDIC division or office to obtain relevant information on the work performed by those offices when initiating future ISRs.

SAQs AND RELATED PROCEDURES CAN BE ENHANCED

The FDIC can improve its process for determining major systems to be supported by its IT risk management program. OMB A-130 requires that federal entities assess the sensitivity of internal application systems and related data. The purpose of this process is to identify the entity’s major systems that require ISRs and related risk management documentation. At the initiation of our fieldwork, the FDIC employed a 3-page Sensitivity Assessment Questionnaire (SAQ) as the sole means of determining its major applications. Using the SAQ, each division answered questions relating to an application’s sensitivity based on confidentiality, data integrity, and availability. DIRM’s ISS assigned a score to each application based on the responses to the SAQ. Applications that were scored above a specific threshold were deemed major and scheduled for an ISR.

Our analysis of the SAQ process, discussions with officials from FDIC divisions and offices, and review of best practices employed by other federal agencies support the need to supplement the SAQ with additional processes to determine major applications. Interviews with representatives from five of DIRM’s major client divisions illustrate a lack of confidence in the SAQ as the sole determinant in identifying the FDIC’s major applications. The client representatives indicated that the SAQ questions were confusing and subjective and that they completed the SAQ without clearly understanding the questions. The client representatives also indicated that they did not always agree with DIRM’s designation of major applications but were not afforded the opportunity to discuss the designations with DIRM.

We reviewed the SAQ template and all 26 SAQs performed during 2000 that resulted in designating a system as major. Our review determined that some questions contained in the template were not reliable in measuring sensitivity, particularly in the area of data integrity. The SAQ is divided into three parts: data integrity, confidentiality, and availability. Each category comprises one-third of the points in determining major applications. We noted that two questions in the data integrity category could reasonably be answered such that all applications would receive the highest score for this category. With this scoring flaw, the number of major applications may be overstated because applications that do not require the strongest of controls to protect data integrity and may possess only moderate risk regarding confidentiality or availability of data may be classified as major.

Our review of best practices of six other federal entities concluded that other agencies did not employ a process similar to the SAQ in determining their “major” applications. Instead of relying on clients when identifying major applications, these agencies relied on a centralized IT security manager to designate applications as “major.” The process provided for a more consistent designation because it permitted a single official to analyze all applications within the organization’s IT environment and determine which should be considered “major.” This process also resulted in fewer systems being designated as major, minimizing the possibility that the risk management program will become overburdened and jeopardize the program’s primary goal of providing effective, in-depth security reviews for the most critical applications. GAO addresses this concept in its publication entitled Information Security Risk Assessment, Practices of Leading Organizations, which states that: “performing risk assessments for more than 10 to 20 applications would become overwhelming, cumbersome, and strain limited resources.”

An additional benefit of selecting the optimum number of “major” applications requiring ISRs is the potential cost savings associated with performing the ISRs. During 1999, DIRM, using its SAQ process, identified 70 applications as major and requiring an ISR. However, following discussions with our office regarding the ISR process and the activities of other federal agencies, DIRM implemented modified procedures including more in-depth discussions with division managers regarding the results of the SAQ process. These modified procedures resulted in reducing the number of major applications requiring ISRs from 70 to 26. Based on DIRM’s estimates of the cost of ISRs, this reduction could reduce contractor costs by as much as $2.2 million over the 3-year risk management program cycle. In addition, internal DIRM resources associated with overseeing and administering the ISR portion of the risk management program should be reduced.

The OIG and ISS agree that the SAQ, with modification, is a tool that should continue to be used to identify the sensitivity level of an application and to assist in developing the security plan. Enhancing the SAQ process to reduce subjectivity and increase reliability will improve the FDIC’s assessments of its major applications, better focus limited resources, and possibly reduce costs associated with unnecessary efforts related to applications misclassified as major applications. During our fieldwork, ISS developed or implemented changes to improve the SAQ process. ISS met with DOF and DOS to jointly determine the major applications that require ISRs. ISS, as described above, reduced the number of required ISRs from 70 to 26. Additionally, to enhance the reliability of the SAQ process, ISS agreed to add an explanation box for each SAQ question and modify the questions relating to data integrity.

Recommendations

We recommend that the Director, DIRM, and CIO:

(2) Modify the SAQ procedure manual to require meetings between ISS and the user to determine major applications chosen for ISR review. (Funds to be put to better use - $2.2 million). (The OIG and DIRM agree that such meetings will complement the SAQ process by ensuring the client clearly understands and agrees to the final SAQ score and the applications that are chosen for future ISRs).

(3) Develop new SAQ templates that include an explanation box for each question, and modify the data integrity questions in the SAQ to enhance reliability of the responses. (The explanation box will minimize the possibility of client confusion that could result in unreliable SAQ scores).

ENHANCED PROCEDURES CAN PRODUCE MORE EFFECTIVE ISRs

By modifying ISR supporting procedures, ISS can enhance its effectiveness and the effectiveness and implementation of resulting corrective actions. Interviews with representatives of five of the FDIC’s divisions and offices and our reviews of ISRs identified concerns regarding the effectiveness of ISRs in identifying risks and developing effective corrective actions. The effectiveness of ISRs was limited because of the ISRs’ focus on individual application controls rather than on controls related to an overall business process or function. In addition, the division and office representatives receiving the ISR findings and corrective actions viewed them as redundant and outside their control.

ISR recipients in DIRM’s client offices and divisions indicated their belief that many potential security issues and weaknesses were overlooked because ISRs focused solely on controls related to a specific application. Our review of four completed ISRs confirmed that ISRs could be enhanced by consolidating the review of all applications and activities related to a corporate process or function. By broadening the scope of ISRs to include related processes and activities, the FDIC would have increased assurance that the overall control environment related to a specific corporate operation was evaluated and improved. Another potential benefit is improved efficiency and reduced costs in the performance of ISRs. ISRs are usually performed by a DIRM contractor and typically cost the Corporation approximately $50,000 for each application and $100,000 for each support system. As mentioned earlier, DIRM has already begun to reduce the number of ISRs by enhancing the SAQ process and reducing the number of major systems. By eliminating redundant steps in the performance of ISRs and reducing the number of ISRs by broadening their scope to include related processes and activities, the FDIC may be able to further reduce the costs of administering the program.

When developing ISRs, DIRM followed FIPS standards. These standards require specific ISR review steps to be included in each ISR even though some of these review steps do not directly apply to the application being audited and have been reviewed and documented in previous ISRs. DIRM can continue to address the FIPS requirements, enhance the quality of individual ISRs, and increase the confidence of its clients in the ISR process by noting in the report any finding that was identified previously. The report should include the ISR where the finding was initiated and the manager and division responsible for the corrective action. Secondly, DIRM can meet these ISR process goals by first conducting ISRs of the FDIC’s general support systems. By doing so, relevant DIRM components can act upon recommendations that affect all applications that rely on the general support systems. Subsequently, during ISRs of individual applications or processes, DIRM can cite the general support system concerns that are relevant to individual applications or processes, note the timeframes for completing the recommended actions, and limit their detailed discussions and recommendations to application- or process-specific issues.

Application- or process-specific ISR activities could also be improved by increased coordination between the ISR team and the clients. The ISR process could be both more efficient and effective if DIRM included the client in planning the ISR and performing fieldwork tasks. This client involvement could reduce costs related to the ISR process and better focus the reviews on risks identified by the client’s routine use of the application and business process. The ISR team could retain its required independence by overseeing and approving all work performed by the client. To ensure the effectiveness and efficiency of the process, an agreement regarding the nature and extent of the user’s responsibility should be documented in a Memorandum of Understanding (MOU) that would be completed after initial ISR discussions.

Recommendations

We recommend that the Director, DIRM, and CIO:

(4) Modify ISR procedures to require a meeting between the ISR team and managers before the ISR is initiated. The meeting would include: (1) the ISR team educating the user on applicable FIPS requirements, (2) the ISR team and user agreeing to the scope of the review being either application-specific or based on functions or processes, and (3) the ISR team and user signing a MOU that summarizes the agreements. The MOU should also include an agreement on the extent of user involvement in the planning and completing of ISR review steps.

(5) Modify the ISR process such that findings outside the control of the user should still be listed in the ISR but clearly identified as to the original ISR and the unit responsible for the corrective actions.

IMPROVED CONTRACTOR OVERSIGHT CAN ENHANCE THE ISR PROCESS

We noted opportunities to improve contractor oversight for the ISR process. The conclusions and review activities contained in contractor-performed ISRs were not adequately supported by working papers. Also, DIRM was not adequately reviewing the support for contractor conclusions or invoice documentation. To determine the adequacy of workpapers, we requested workpapers that would support findings and conclusions for the two 1999 ISRs that we reviewed for the audit. The contractor’s workpapers contained only emails and did not include schedules, calculations, or other documentation that would normally be expected to document conclusions reached and work performed. The risk management program manager stated in interviews that he did not review contractor workpapers because of lack of time and resources. The manager also stated he did not review contractor invoices, again because of time and resource constraints. Workpapers should be reviewed by the FDIC program manager to ensure that the appropriate procedures were completed and that support exists for potential conditions or areas found satisfactory. The manager should also review invoice documents to evaluate the propriety of staff assignments and the amount of time that reasonably should have been expended on these tasks.
Considering the costs associated with\nperforming ISRs, the sensitive nature of the contractor's work, and the impact of contractor\nconclusions on FDIC operations, effective oversight procedures are vital to ensure the viability and\nreliability of the FDIC\xe2\x80\x99s risk management program.\n\nDIRM and the OIG agreed that the reduction in the number of ISRs should assist in improving\nworking paper reviews and other oversight factors. We suggested and DIRM agreed to\nimplement control procedures to improve review and oversight activities. ISS stated that it will\nrequire invoice modifications to specifically identify that the staff and resources expended for\neach task conform to the contractual agreements and will develop procedures that will enhance\nconfirmation of time and task statements. Additionally, ISS indicated that it will consult with the\nOIG on developing working paper standards that will be required to support findings and\nconfirmation of important controls.\n\nRecommendation\n\nWe recommend that the Director, DIRM, and CIO:\n\n(6) Modify the ISR procedure manual to require that: (1) contractor tasks assignments state the\n    requirement for adequate contractor workpapers that support findings and confirmation of\n    major controls, (2) workpapers are timely reviewed and approved, and (3) invoices be\n    reviewed to confirm the time and personnel that were used for the ISRs.\n\n\n\n\n                                                 11\n\x0cCORRECTIVE ACTION PROGRAM NEEDS TO BE IMPLEMENTED\n\nAlthough DIRM had identified substantial security risks and developed recommended corrective\nactions to address these risks through its risk management program, it had not implemented a system\nto: (1) identify the corporate officials responsible for the corrective actions, (2) establish target dates\nfor completing the actions, and (3) track resolution of the actions. 
In addition, the absence of an\neffective tracking system reduced DIRM\xe2\x80\x99s ability to identify redundant corrective actions. As a\nresult, approximately 700 recommended ISR corrective actions remain unresolved as of the end of\nour fieldwork.\n\nMany of the 700 unresolved corrective actions are duplicates. As described before, ISRs would\ninclude identical review steps that had been completed in previous ISRs. If the review step resulted\nin a finding, the identical finding and corrective action noted in a previous ISR would be included in\nthe current ISR, thereby resulting in redundant issues. The number of duplicated corrective actions\ncannot be easily identified because DIRM does not employ an identifying number for the\nrecommendation nor assign a specific FDIC manager to be responsible for the resolution.\n\nThe effectiveness of any audit or internal review program depends on the program\xe2\x80\x99s ability to\nresolve any weaknesses identified in a timely manner. If the issues are not resolved, the efforts to\nidentify them are negated. An effective tracking system identifies the corrective actions needed, the\nofficials responsible for the actions, and the milestones for achieving the corrective actions. During\nour audit DIRM obtained agreement from the Office of Internal Control Management (OICM) to use\nthe Internal Review Information System (IRIS), OICM\xe2\x80\x99s system for tracking corrective actions\nrelated to OIG and GAO audits, to track corrective actions related to ISRs. DIRM began populating\nIRIS with ISR-recommended corrective actions in August 2000. This action will provide DIRM with\nenhanced abilities to ensure the timely implementation of needed corrective actions. 
Involving\nOICM and internal control liaisons (ICL) in tracking and implementation can further enhance the\neffectiveness of the process.\n\nOur review of the ISR data loaded into IRIS as of September 2000 identified the existence of a\nsignificant number of duplicate corrective actions. However, we were unable to quantify the number\nof duplicate actions loaded because DIRM had not developed a coding system to identify related\nrecommended actions. The use of such a code would ease DIRM efforts to cleanse the ISR data in\nIRIS and identify similar or redundant future corrective actions. This, in turn, will permit the\nCorporation to focus on and prioritize the actions needed to improve the FDIC\xe2\x80\x99s security posture and\nimprove client perceptions regarding the viability of the program.\n\nRecommendations\n\nWe recommend that the Director, DIRM, and CIO:\n\n(7) Design and implement a tracking report that employs ISR corrective action numbers and\n    identifies only one unit or individual responsible for resolution and the timeframes required.\n\n\n\n\n                                                    12\n\x0c(8) Modify ISR support procedures to require that OICM and internal control liaisons be involved in\n    monitoring and resolving corrective actions. These corrective actions should be tracked, and\n    results that are delayed should be communicated to the next level of management. If delays\n    become excessive, DIRM should distribute a report of outstanding corrective actions and submit\n    them to senior management, including the CFO, if the delays persist.\n\n\nINVOLVEMENT OF ISS DURING APPLICATION DEVELOPMENT IS CRITICAL TO\nAN EFFECTIVE IT RISK MANAGEMENT PROGRAM\n\nBecause DIRM had not ensured the involvement of ISS during the development of application\nsystems supporting corporate operations, it had not effectively identified security-related issues\nand solutions during the development process. 
FDIC Circular 1320.3 and FDIC\xe2\x80\x99s System\nDevelopment Life Cycle Manual require that ISS be involved in assessing security requirements\nduring development to ensure the development and implementation of adequate safeguards.\nOMB A-130 requires that, during the first part of the development phase, security requirements\nbe developed at the same time as functional requirements for the application. However, DIRM\nofficials advised that the goals associated with delivering system functionality to meet FDIC\nclients\xe2\x80\x99 operational requirements often caused this needed involvement to be overlooked.\n\nBy requiring ISS to review and approve the security architecture for an application during the\ndevelopment stage, DIRM can maximize the effectiveness of the risk management program.\nISS can help ensure that developers identify major applications through the ISR and then\ncomplete the resulting security plans and management authorizations. Many of the shortfalls in\nmeeting OMB A-130 security requirements could have been addressed during the application\ndevelopment process if DIRM had adhered to this required portion of its system development life\ncycle (SDLC). By strictly adhering to its SDLC requirement to involve ISS and consider\nsecurity requirements during the development process, DIRM can ensure that application-\nspecific security issues are addressed during application development and avoid future IT risk\nmanagement issues.\n\n\nRecommendation\n\nWe recommend that the Director, DIRM, and CIO:\n\n(9) Modify policies to include requirements that ISS must approve the security design of major\n    applications before an application can be placed into production. 
This review and approval\n    should be required for the security design, security plan, and management authorization.\n    Specifically, the procedures should: (1) require a security specialist to review the security\n    design for adequacy during the development stage and (2) require ISS management to\n    approve and sign off on the design prior to placing the application in production.\n\n\n\n\n                                                13\n\x0cCONCLUSION\n\nAs described above, we believe that the FDIC\xe2\x80\x99s risk management issues can be corrected by\nimplementing management modifications. One outcome of these modifications, particularly the\nmodifications related to the SAQ process, is that the number of required ISRs will likely be reduced\nand the costs of administering the program will be likewise reduced. This, combined with oversight\nand planning enhancements, should reduce overall costs, allow more resources to be committed to\neach ISR, particularly the general support systems and major applications. In addition, active client\ninvolvement should ensure enhanced ISR quality and increased client acceptance of ISR issues.\nFinally, DIRM actions to restrict applications from being implemented without ISS\xe2\x80\x99s review should\nenhance overall security and increase the manageability of the IT risk management program.\n\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn February 12, 2001, the Director, DIRM, and CIO provided a written response to the draft\naudit report. The CIO and DIRM Director agreed with the report's findings and recommendations\nand provided the elements necessary for management decisions on all nine of the report's\nrecommendations. 
DIRM's response is presented in its entirety in Appendix I of this report.\n\nRegarding recommendation 6, the Director, DIRM and CIO indicated DIRM would prefer to\naddress the finding and recommendation as a contract management issue rather than as an\namendment to the ISR procedure manual. DIRM will ensure that the Oversight Manager for the\ncontract will be reminded, in writing, of his responsibilities relative to the management of the\ncontract. The Oversight Manager's supervisor will ensure that sound contract management and\ninvoice review processes are in place and are being followed. We agree that these actions are\nresponsive to our concerns and should resolve the weaknesses we noted concerning adequate\nreview of invoices and working papers.\n\nAs a result of our audit, we will report funds put to better use of $2.2 million over 3 years in our\nSemiannual Report to the Congress.\n\n\n\n\n                                                 14\n\x0c                       APPENDIX I\nCORPORATION COMMENTS\n\n\n\n\n         15\n\x0c                       APPENDIX I\nCORPORATION COMMENTS\n\n\n\n\n         16\n\x0c                       APPENDIX I\nCORPORATION COMMENTS\n\n\n\n\n         17\n\x0c                                                                                                                       APPENDIX II\n                                            MANAGEMENT RESPONSES TO RECOMMENDATIONS\n\nThe Inspector General Act of 1978, as amended, requires the OIG to report the status of management decisions on its recommendations in its semiannual\nreports to the Congress. To consider FDIC\xe2\x80\x99s responses as management decisions in accordance with the act and related guidance, several conditions are\nnecessary. First, the response must describe for each recommendation\n\n   !    the specific corrective actions already taken, if applicable;\n   !    
corrective actions to be taken together with the expected completion dates for their implementation; and\n   !    documentation that will confirm completion of corrective actions.\n\nIf any recommendation identifies specific monetary benefits, FDIC management must state the amount agreed or disagreed with and the reasons for any\ndisagreement. In the case of questioned costs, the amount FDIC plans to disallow must be included in management\xe2\x80\x99s response.\n\nIf management does not agree that a recommendation should be implemented, it must describe why the recommendation is not considered valid.\nSecond, the OIG must determine that management\xe2\x80\x99s descriptions of (1) the course of action already taken or proposed and (2) the documentation confirming\ncompletion of corrective actions are responsive to its recommendations.\n\nThis table presents the management responses that have been made on recommendations in our report and the status of management decisions. The information\nfor management decisions is based on management\xe2\x80\x99s written response to our report.\n\n                                                                                               Documentation                       Management\n Rec.                                                                    Expected             That Will Confirm     Monetary       Decision: Yes\nNumber         Corrective Action: Taken or Planned/Status             Completion Date           Final Action        Benefits          or No\n            The ISR procedure manual will be updated to\n            include the ISR schedule and priority for general\n                                                                                              Updated procedures\n            support systems and applications. 
The ISR\n    1                                                                December 31, 2001         in ISR procedure        N/A              Yes\n            procedure manual will also document coordination\n                                                                                                    manual\n            with OIG, GAO, and appropriate FDIC offices and\n            divisions.\n                                                                                              Updated procedures   $2.2 million\n    2       ISS will update the SAQ procedure manual.                December 31, 2001         in SAQ procedure    over 3-year          Yes\n                                                                                                    manual          ISR cycle\n            ISS will modify SAQ template by: (1) including\n            explanation box for each question and (2)\n    3                                                                December 31, 2001           SAQ template          N/A              Yes\n            modifying data integrity questions identified in the\n            audit.\n\n                                                                              18\n\x0c                                                                                        Documentation                  Management\n Rec.                                                                Expected          That Will Confirm    Monetary   Decision: Yes\nNumber     Corrective Action: Taken or Planned/Status             Completion Date        Final Action       Benefits      or No\n         ISR procedure manual will be modified to include                              Updated procedures\n  4      educating the users on the FIPS requirements, scope      December 31, 2001     in ISR procedure      N/A          Yes\n         of the review, and MOU.                                                             
manual\n         ISR procedure manual will be modified to require\n         findings outside the control of the user to still be                          Updated procedures\n  5      listed in the ISR but clearly identified as to the       December 31, 2001     in ISR procedure      N/A          Yes\n         original ISR and the unit responsible for the                                       manual\n         corrective actions.\n         A memorandum will be developed and given to the\n         Oversight Manager that will outline his                                        Memorandum to\n  6                                                               February 22, 2001                           N/A          Yes\n         responsibilities concerning workpaper and invoice                             Oversight Manager\n         reviews.\n         IRIS will include: (1) corporate officials responsible\n         for the corrective actions, (2) target dates, and (3)\n  7                                                                 June 30, 2001             IRIS            N/A          Yes\n         tracking data relative to resolution of the corrective\n         actions.\n         Corrective Action Report will be developed and\n                                                                                        Corrective Action\n  8      distributed to senior management for review and          September 30, 2001                          N/A          Yes\n                                                                                             Report\n         resolution.\n         System Development Life Cycle Policy will be\n         modified to require ISS approval of the security                              System Development\n  9                                                               September 30, 2001                          N/A          Yes\n         design of major applications before an application                             Life Cycle 
Policy\n         can be placed in production.\n\n\n\n\n                                                                          19\n\x0c"